The U.K. Information Commissioner’s Office (ICO), which serves as the country’s data protection regulator, has published an updated report on its research into the digital advertising industry and the practice of real-time bidding (RTB). The updated report responds to a series of complaints filed in the UK by activist groups such as Open Rights Group and Privacy International about the security and legality of adtech, and notably of the digital advertising ecosystem. The report focuses on (i) the processing of special category data, (ii) data protection impact assessments and (iii) transparency.
RTB, although a very innovative means of advertising delivery that is widely used by the industry because of its excellent results in today’s commercially competitive ecosystem, might, according to the ICO, pose a risk to consumers because of its apparently low level of data protection. The report finds the industry to be non-compliant with current personal data protection regulation (the GDPR) and states: “The adtech industry appears immature in its understanding of data protection requirements… Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB.”
Some of the ICO’s main concerns with the current adtech and digital advertising sectors include:
- Many organisations currently rely on “legitimate interest” as a legal basis under Article 6 of the GDPR to process data as part of RTB, but the regulator believes they need to obtain explicit consent. The extensive nature of data processing in RTB does not allow organisations to meet the requirements of the legitimate interest lawful basis. The industry has previously argued that it is highly restrictive for businesses to use other lawful bases because of the challenges associated with collecting valid consent, for example, under the GDPR. This report therefore raises serious concerns for the future of RTB as an advertising delivery model. Legitimate interest as a lawful basis is not completely ruled out, but organisations will have to demonstrate that “their use of personal data is proportionate, has minimal privacy impact and individuals would not be surprised or likely to object”, which is not yet the case with current industry practices.
- Organisations also process sensitive data in the context of RTB, which is strictly forbidden unless one of the conditions of Article 9 of the GDPR is satisfied, such as obtaining explicit consent. Existing consent mechanisms built as industry initiatives are deemed to fall short of the legal obligations, mainly because they do not specifically state that special category data is processed, nor do they mention which organisations process it and why. Organisations should therefore obtain explicit consent or not process sensitive data at all.
- The whole procedure is found by the ICO to lack transparency: in its view, privacy notices do not give users sufficient information about the use of RTB.
- Given the extensive sharing of data in this process, there is a high risk of data breaches of which users are unaware, and current contractual controls are deemed insufficient to guarantee an appropriate level of data protection.
- Few organisations in the industry undertake DPIAs (Data Protection Impact Assessments), whereas, given the context of RTB and the fact that it involves the use of new technologies and the profiling of individuals on a large scale, this should be a mandatory process.
- Finally, industry initiatives are, for the moment, simply not sufficient to address users’ current concerns about the protection and safety of their data in the RTB context.
Whilst this report is not a formal legal decision against RTB, it is a clear signal to the industry that it needs to review its current practices or be ready for a heavy regulatory crackdown. Although the report did not single out any particular companies whose processing was specifically condemned, it did mention a six-month grace period during which the advertising industry can clean up its data practices.
The GDPR should not jeopardize your development, but it does require significant changes for your organization. Compliance with this regulation ensures peace of mind for you as industry players and the development of a thriving industry.
A compliance audit is like a very thorough examination of conscience (and of documentation!) that will guide you on the path to compliance (both yours and your ecosystem’s) and may encourage you to contribute to industry initiatives.
There are solutions to find that appropriate balance between regulations, regulators, users and industry. Check out our GDPR compliance audit tool!
Let’s get started!